The American Privacy Rights Act (APRA) is an ambitious second shot at a US federal privacy law, released as a discussion draft on April 7, 2024.

Unlike the vast majority of other countries, the US does not have a generally applicable privacy law. A patchwork of state and sector-specific laws provides an inconsistent set of individual privacy rights and a matrix of compliance obligations. 

But even if the APRA passes, privacy law in the US will remain complicated. And if the bill fails, the US privacy landscape will likely get even more complex. 

If the APRA passes: New rules for thousands of businesses 

The APRA would impose new obligations on thousands of businesses across the US. The law would cover all businesses, except those covered by exemptions and any “small business” that:

  • Has annual revenue of $40 million or less,
  • Processes the covered data of fewer than 200,000 individuals (subject to exceptions), and
  • Does not earn revenue by transferring covered data to third parties.

If the APRA passes, it would take effect 180 days after enactment. APRA-covered entities would face many new legal obligations. Important provisions of the APRA include, among others: 

  • Strict data minimisation requirements: Collecting, processing, retaining, or transferring covered data would be limited to what is necessary and proportionate to provide a product or service the individual requested, or to one of a fixed list of permitted purposes.
  • Individual rights to access, correct, delete, and export personal data, and to opt out of targeted advertising. 
  • A requirement to obtain opt-in consent before “transferring” sensitive data. 
  • An obligation to maintain reasonable data security practices and train employees on data security. 
  • New rules on automated decision-making with “consequential effects”. 
  • A private right of action enabling individuals to sue businesses that violate certain parts of the law. 

Perhaps most importantly, the APRA would pre-empt the comprehensive state privacy laws that have passed in recent years in California, Colorado, Connecticut, Texas, Virginia, and many other states. 

This means the new privacy rights afforded under these laws would no longer apply, with the APRA replacing them. Given that the APRA is weaker in certain areas, some Americans would lose certain state privacy protections. 

The APRA would leave certain legislation untouched, including breach notification statutes, wiretapping laws, and specific laws like the Health Insurance Portability and Accountability Act (HIPAA) and Illinois’ Biometric Information Privacy Act (BIPA).

State attorneys general could still enforce the APRA alongside the Federal Trade Commission, but state regulators would lose the authority to enforce their own, in some respects stronger, comprehensive privacy laws. The California Privacy Protection Agency (CPPA) has already voiced opposition to the APRA on this basis.

If the APRA fails: Complex state privacy laws continue to boom

The last attempt at a US privacy law, the American Data Privacy and Protection Act (ADPPA), failed, mostly because state representatives objected to how the bill pre-empted state laws like the CCPA.

Since then, many more states have passed comprehensive privacy laws. So far in 2024: 

  • New privacy legislation has been enacted in New Jersey, New Hampshire, Kentucky, and Nebraska, bringing the total number of states with a comprehensive privacy law to 16. 
  • Maryland’s privacy bill awaits the state governor’s signature, with strict data minimisation standards that could become a model for future state laws. Several other states have similarly broad pending legislation. 
  • Washington’s My Health My Data Act (MHMDA) took effect on 31 March, Colorado passed privacy law amendments covering neural data, and California’s privacy regulations took effect following a court battle with industry representatives. 

This boom in state-level privacy activity means federal lawmakers might struggle to obtain enough support to pass the APRA.  

If the APRA fails, expect the state patchwork to become even more complicated as assemblies across the US seek to protect residents and regulate businesses. 

HewardMills’ privacy experts are carefully tracking legal and regulatory developments in the US. Whether a federal law passes or state requirements continue to increase in scope and complexity, we can help your business adapt and excel in the new privacy-focused landscape. 

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.