Data Privacy in the US

On April 7, the United States House Committee on Energy and Commerce released the American Privacy Rights Act. This is a bipartisan, bicameral bill introduced by Rep. Cathy McMorris Rodgers (R-WA) and Sen. Maria Cantwell (D-WA). This is not the first attempt at a federal US data privacy law, however. The last significant attempt at a federal law made some headway in 2022. The failure of that bill (ADPPA) exemplifies the significant challenge of passing a federal law at a time when several states already have their own laws.

A Background of Data Privacy Laws

In 2018, the GDPR (General Data Protection Regulation) became law in the EU. This law presented a seismic shift in the data privacy landscape. The GDPR granted consumers significant control over their online personal data. At the same time, it created substantial restrictions on businesses that had previously enjoyed largely unfettered access to consumer data.

Germany created the first data privacy law in 1970, establishing strict rules around the collection of data. Since then, other nations have created similar legislation to protect individuals and restrict the collection and dissemination of personal information. However, it was not until the GDPR came about that a law specifically addressed online personal data, and the changes that this new law required were massive. While they represent a huge step in the right direction for consumers, these new laws mean that businesses must make significant changes to their websites and the way in which they handle consumer data.

Shortly after the GDPR took effect, several other countries (not in the EU) created their own data privacy laws. To date, though, none offers the level of consumer protection that the GDPR provides.

Data Privacy Laws in the United States

When the GDPR became law, the cries grew louder for the United States to pass similar legislation to protect US consumers. However, as one might expect, this is easier said than done in a nation of 50 states with very divided leadership. On the one side, you have people pushing for strong consumer protection similar to that afforded by the GDPR. On the other, you have those who firmly support businesses and don’t want to limit their ability to collect consumer data.

In light of this, it’s actually remarkable that multiple bipartisan bills have come to the fore. However, it does make sense. Consumer advocates want to give individuals greater control over their personal information. Meanwhile, business advocates are watching individual states pass their own data privacy laws, which creates an undue burden on businesses that now have to make sure they are in compliance with (now) 19 separate laws.

So the motivation is there on all sides to establish a federal data privacy law. But the devil, as they say, is in the details.

The American Data Privacy and Protection Act (ADPPA)

By 2022, California had already passed its own data privacy law (CCPA). A handful of other states were poised to follow suit. The writing was on the wall: if a national data privacy law was not imminent, states would take matters into their own hands. Reps. Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA), and Sen. Roger Wicker (R-MS) introduced the ADPPA.

A key component of the ADPPA was data minimization. Data minimization means that businesses can collect only data that is necessary for specific needs. Such needs include things like user authentication or processing an order. While the business needs were specified and limited, one of the needs included targeted advertising. Such an inclusion certainly undercuts any real sense of data privacy.

What Caused the ADPPA to Fail?

There were two key areas that ultimately stalled the bill for good. The first is the preemption of state laws. After all, the goal of a federal law is to establish a single law for businesses to follow. However, the authors of the bill included certain exceptions to account for provisions in the California and Illinois state laws. The goal of these exceptions was likely to achieve more buy-in, but it ultimately just weakened the bill as a whole.

The other major sticking point was private right of action. Lawmakers attempted to find a middle ground between protecting businesses from excessive lawsuits, and allowing individuals to pursue legal action if they were affected by a noncompliant business. The ADPPA determined that if a company were to be in violation of the law, the FTC and state attorneys general would levy penalties. An individual could also file a lawsuit, but they would first be required to inform the FTC and their state’s attorney general of their intent. If either the FTC or attorney general decided to take action, then the individual would no longer be allowed to file suit. Additionally, a company/data holder would have 45 days to remedy the issue and request a dismissal. This proposed solution failed to provide the individual protections that some state laws already provide, and wouldn’t necessarily protect businesses from frivolous lawsuits.

The American Privacy Rights Act (APRA)

After the ultimate demise of the ADPPA, Rep. Rodgers collaborated with fellow Washington state legislator, Senator Maria Cantwell, to create the American Privacy Rights Act. The APRA does build off some of the failures of the ADPPA. But it also suffers from some of the same flaws that doomed its predecessor. These are some of the key features of the new bill.

Data Minimization

As with the ADPPA, the APRA specifies that companies can’t collect more data than what is necessary. It defines permitted purposes for which a company can collect data. Those are “protecting data security; complying with legal obligations; effectuating a product recall or fulfilling a warranty; conducting market research (which requires affirmative express consent for consumer participation); de-identifying data for use in product improvement and research; preventing fraud and harassment; responding to ongoing or imminent security incidents or public safety incidents; processing previously collected nonsensitive covered data for advertising.” As noted above, the inclusion of advertising as a permitted purpose is a loss for consumers. But a bill would have no chance of passing without this allowance.

Transparency

Organizations must have privacy policies that clearly describe the data they collect from users. This includes the category of data they are collecting, the purpose for doing so, and the length of time this data is retained. They must also disclose whether they share this data and with whom. The privacy policy must describe how an individual can exercise their rights and opt out.

Consumer Controls Over Covered Data

Under APRA, consumers will be able to access any personal data that an organization has collected about them. They also have the right to correct that data, or request the organization to delete it or export it. As we described in our article about how data privacy laws impact your website and your organization, this is a feature of all data privacy laws. If you’re a website owner, make sure you have a well-organized system in place that manages your user/customer data. Otherwise, when a request like this comes in, you will be left scrambling with the prospect of a severe penalty hanging over your head if you don’t comply in time.

Opt-Out Rights

A user can opt out of the transfer of their personal data to other parties. They can also opt out of their data being used for targeted advertising. An interesting addition to this is that it requires the FTC to establish a “centralized opt-out mechanism.” This will need to be developed within 2 years after the bill becomes law. Nothing like this currently exists, and it could be a big can of worms. The FTC will have to create this mechanism, and organizations will need to establish a way to connect to it so they can determine if anyone in their database is present on this centralized opt-out list. Such a requirement will have a wide-ranging impact on CRM and email service providers, in addition to the individual organizations.

Federal Trade Commission Enforcement

There are a couple of notable items related to the FTC. The bill directs the FTC to create a bureau to carry out its authority. It will also set up a relief fund to provide consumer redress. With a dedicated bureau in place to enforce data privacy compliance, affected businesses will need to ensure that they have everything in order by the required deadline.

Enforcement By Individuals

Learning from the ADPPA’s failure, the APRA broadens data privacy protections by allowing individuals to pursue action regardless of whether the FTC or attorney general also takes up the case. Businesses will have 30 days to remediate before penalties are levied, except in cases where a violation has resulted in substantial harm.

Preemption

Preemption has been the single largest sticking point in the federal privacy law. In California’s case, any federal law put forward has been a watered-down version of the California law. So California lawmakers have been reluctant to agree to a law that reduces data privacy protections. Illinois is in a similar position, as it has specific provisions in its state law that are not included in federal bills. Both the ADPPA and APRA face the same challenge on this front. Components of these state laws are too strict to be accepted by all states. But adding exceptions for the two states (which is what they’ve done) undermines the purpose of a national bill.

The Uncertain Future of the APRA

Many are optimistic about this incarnation of a federal data privacy law. It has resolved a number of the sticking points that were present in prior data privacy bills. But there are still some – preemption, in particular – that are likely to face considerable pushback. As more and more states (19, to date) pass their own data privacy laws, the difficulty of passing a federal law will only increase. So, lawmakers understand that time is of the essence.
