Senator Maria Cantwell and Representative Cathy McMorris Rodgers introduced a new federal privacy bill last week. Named the American Privacy Rights Act (APRA), the bill proposes a comprehensive set of privacy rights for consumers and compliance requirements for businesses, such as minimizing what data they collect and assessing the impacts of algorithms they build and deploy. The authors are clear on their intent: “The purposes of this act are to establish a uniform national data privacy and data security standard […]”
If this sounds familiar, that’s because we’ve been here before. Two years ago, the American Data Privacy and Protection Act (ADPPA) offered a similarly comprehensive proposal. But, like many bills, it withered in the House of Representatives.
What’s Different This Time?
The rights this bill grants consumers and the requirements it puts on businesses are very similar to its predecessor. But it faces a very different political and privacy atmosphere. President Biden’s executive order calling for improved data privacy protections kickstarted a conversation on foreign adversaries’ ability to easily buy or access Americans’ data and framed privacy as a national security concern. That drove the House of Representatives to introduce — and unanimously pass — a bill that would make it illegal for data brokers to sell or share Americans’ sensitive data with foreign adversaries’ governments.
Additionally, the FTC has fined many companies for inappropriately sharing or selling customer data. And California’s Attorney General’s Office has begun enforcing its state privacy law.
Aspects unique to the APRA include:
- Narrowed preemption of state laws. The APRA slightly broadens the list of exemptions. Unlike its predecessor, it doesn’t name the specific state laws that are exempt, which leaves the door open for states to pass laws that fit within the exemption list. Still, preemption is a thorny issue. California buy-in is key to passing a federal law due to its existing comprehensive privacy laws and massive delegation in the House of Representatives. And the California Privacy Protection Agency has already voiced concerns about the proposed bill, particularly in areas where it feels the bill is weaker than existing state laws.
- Stronger enforcement, including private right of action. While preemption will upset Californians, the bill offers Democrats an olive branch by allowing individuals to sue companies that don’t comply with parts of the bill. The previous proposal did not support private right of action, which was a sticking point for Sen. Cantwell. The APRA also has a section about states enforcing the APRA and acknowledges states’ own regulatory powers, like attorneys general and the California Privacy Protection Agency.
- A carveout for small businesses. The APRA doesn’t apply to small businesses (companies that have less than $40 million in annual revenue and process data on fewer than 200,000 individuals), as long as they aren’t selling or sharing personal data with third parties. It would also exempt nonprofits whose mission is to prevent fraud. Both exemptions are unique to the APRA.
- A pilot program for privacy-preserving technology. The APRA would call on the FTC to create a pilot program “to encourage private sector use of privacy-enhancing technology” (otherwise known as privacy-preserving technology) to protect personal data and comply with the law. It shows how quickly the privacy field is changing — two years ago, privacy-preserving technology was buzzy; now, it’s established, so much so that my colleagues Enza Iannopollo and Heidi Shey wrote a category Landscape report on it.
What Can Marketers Expect?
Like all federal privacy bills, the APRA faces an uphill road. Preemption and the private right of action will spark ire on both sides of the aisle, and lawmakers have much to consider. At a hearing in the House Energy and Commerce Committee, committee members considered 10 privacy bills spanning children’s privacy to data brokers to social media regulation. But the consistency between this and the previous proposal reveals progress and a concerted effort toward enacting:
- Fundamental privacy rights. Both bills would give American consumers the right to access, correct, delete, and export their data. They’d also have the ability to opt out of their data being transferred to third parties and/or used for targeted advertising.
- Special protections for sensitive data. While state laws each define sensitive data differently, all 15 states with privacy laws have placed restrictions on processing sensitive data without explicit consent. Data points that marketers use today, like precise geolocation, are increasingly difficult to access. IP addresses and cross-site tracking will face a similar fate in the near future.
- A national data broker registry. Data brokers would have to register as part of a national data broker registry. The registry would also feature a centralized opt-out process where consumers could submit a “do not collect” request, meaning data brokers wouldn’t be able to collect data on those consumers without their consent. Some lawmakers are calling for a universal “delete my data” request workflow too.
Amid this media storm of privacy headlines, our recommendations for marketers remain steady: Be strategic in what data you collect and share about customers, and ensure you are on the right side of their privacy expectations. Consumers, regulators, and lawmakers alike are all becoming increasingly privacy savvy, so be thoughtful and transparent about the data you do collect and ensure you’re delivering a value exchange back to the customer.