On this week’s docket, the US Legislature ponders the reality of passing a federal data privacy law: the American Privacy Rights Act (APRA). We’ve seen this process play out before without much success, but will this new political dance be its final bow?
On April 7, 2024, Chairs Cathy McMorris Rodgers (R-WA) and Maria Cantwell (D-WA) jointly introduced APRA. If passed, this legislative proposal would establish a federal privacy framework that would disrupt the current fragmented data privacy framework.
While it will place more legal obligations on US publishers, it will be a breath of fresh air to follow one privacy law instead of several state ones.
APRA strongly emphasizes empowering American consumers with greater control over their personal information. This control extends to various aspects, including the management, correction, deletion, and restriction of the sale or transfer of their data. In essence, the bill seeks to democratize data governance by ensuring that individuals have a say in how corporations and other entities handle their information.
In layman’s terms, this bill would follow the EU’s lead of explicit consent.
APRA’s Critical Features and Updates
One of the APRA’s notable features is its comprehensive approach to regulating data collection practices. Nowadays, companies amass vast amounts of data, often without clear justification or consent; the bill introduces measures to curtail such practices. It mandates that companies only collect data necessary for their services, thereby promoting data minimization.
Moreover, APRA introduces robust protections for sensitive information, encompassing a wide range of data, including but not limited to online activities and biometric data. By broadening the definition of sensitive information, the bill seeks to adapt to evolving data privacy threats, in which personal data is increasingly exploited for nefarious purposes.
A novel aspect of the APRA is its recognition of social media platforms’ growing influence in shaping the digital ecosystem. To this end, the bill introduces the concept of “high-impact social media companies,” defined as platforms meeting certain revenue generation and user engagement criteria.
By singling out these entities for heightened scrutiny, the bill acknowledges their outsized role in mediating online interactions and shaping public discourse. In short, the walled gardens.
In addition to regulating data practices, the APRA strongly emphasizes transparency and accountability. Covered entities are required to make their privacy policies readily accessible to consumers, providing clear information about data handling practices and giving individuals the ability to exercise their rights effectively. This transparency fosters trust between consumers and businesses and also serves as a deterrent against unethical data practices.
How Will Regulators Enforce APRA?
Enforcement mechanisms are critical to any privacy legislation, and the APRA is no exception.
The bill empowers multiple stakeholders, including the Federal Trade Commission (FTC), state attorneys general, and individual consumers, to hold violators accountable. Importantly, it grants consumers the right to initiate private lawsuits against entities that infringe upon their privacy rights, thereby providing a potent deterrent against misconduct.
Furthermore, APRA adopts a preemptive approach towards state privacy laws, seeking to harmonize regulatory standards across the nation. While this preemption has drawn criticism from some quarters, proponents argue that it is necessary to avoid regulatory fragmentation and provide clarity for businesses operating in multiple states.
Is APRA’s Passing a Real Possibility?
Remember when we thought ADPPA might pave the road towards a federal privacy regulation? Well, it didn’t pass the Senate. Advertising and privacy groups like Privacy for America called out the proposed bill, which became a major hindrance. For instance, Privacy for America did not believe the bill was comprehensive enough to distinguish between bad and healthy advertising practices.
More specifically, the organization said, “Privacy legislation should distinguish between harmful practices that should be prohibited and responsible data practices like advertising that provide valuable information to consumers and are essential to innovation and economic growth.”
It seems APRA is facing the same issues. According to Jessica B. Lee, Chief Privacy & Security Partner at Loeb & Loeb LLP, this bill is unlikely to pass because several issues stand in the way of federal privacy: politics, preemption, and the private right of action.
“In terms of politics, we have already seen California’s enforcement agency come out strongly against the bill (and they worked hard to kill the last attempt at federal privacy) and its attempt to preempt certain state laws,” said Lee. “Likewise, Ted Cruz has raised concerns with the privacy right of action and potential expansion of power for the FTC. As we head into election season, it is unclear to me that there is enough alignment to push this through this year.”
APRA’s Impact on Publishers
If the bill does pass, what do publishers have to consider?
David Shonka, Partner at Redgrave LLP, said, “The 180-day lead time is very short for setting up any new processes and procedures that compliance will require.” From his perspective, there are three things publishers should consider:
- They should sit down with their lawyers and stakeholders to discuss what the law means and how it applies to them.
- Gain a comprehensive understanding of their data, including its sources, storage, usage, sharing practices, and methods for tracking, storing, and safeguarding it.
- Build processes and procedures to meet the Act’s requirements.
APRA could significantly impact advertising. It defines sensitive data as “online activities over time and across third-party websites.” Collecting or sharing such data requires affirmative express consent.
As Lee points out, while APRA allows opt-out for targeted advertising (excluding measurement, first-party, and contextual advertising), including online browsing data in the definition of sensitive information means targeted advertising data cannot be used without consent. Publishers with investments in first-party data for the post-third-party cookie era will benefit if APRA passes. Nevertheless, shifting from opt-out to opt-in will cause substantial upheaval in an industry already facing significant changes.