Name: Daylight
Price range: $

Bipartisan American Privacy Rights Act Introduced in Congress

Why This Alert Is Important

In the absence of a federal privacy law, thirteen states have passed privacy legislation in the past several years. With the introduction of a bipartisan draft, the American Privacy Rights Act has the potential to reshape the US privacy landscape radically in the immediate future.

Overview of the American Privacy Rights Act

On April 7, 202424, Rep. Cathy McMorris Rodgers (R-WA) and Sen. Maria Cantwell (D-WA), chairs of influential committees in Congress, released the draft American Privacy Rights Act. This bipartisan piece of legislation could transform privacy rights in America, eliminating the patchwork of state privacy laws and setting clearly defined privacy rights and protections for Americans. The legislation establishes fundamental data privacy rights for Americans, grants them the ability to enforce their rights, protects civil rights, and holds companies accountable for protecting consumers’ private data.

Rights granted to citizens include:

Control over their own personal data
Access, correction, deletion, and portability of their data
Private right of action
Right to opt out of advertising, data processing, transfers, and sales

Other key provisions of the draft bill would:

Preempt existing state privacy laws with a single national privacy standard
Require companies to minimize the data they collect, keep, and use to what is necessary to provide products and services
Prevent the use of personal information for discrimination
Allow individuals to opt out of the use of AI for decision-making about housing, employment, healthcare, credit, insurance, or education
Require strong data security standards to prevent breaches, hacking, and other harm
Limit companies’ ability to force arbitration agreements that might impede consumers’ exercise of their rights

What APRA Covers

The law would apply to “covered entities” and “service providers,” categories that essentially correspond to data “controllers” and “processors” under the GDPR, respectively. Businesses and nonprofits alike are covered, with the largest exception being small businesses under $40 million in revenue, as long as they are not data brokers and do not “transfer covered data to a third party in exchange for revenue or anything of value.

Another key element of APRA would require data minimization by default. Covered entities could only collect, process, retain, and transfer data if it is necessary and proportionate to the provision of products or services requested by the individual. This would be a major change from previous US and state-level regulations, which have allowed collection or processing by default with certain defined exceptions.

Sensitive and teen data would be highly regulated and require explicit consent. Children’s data would be covered via a merger with the COPPA 2.0 bill currently making its way through Congress.

The proposed Act signifies a monumental step towards enhancing privacy protections and setting a national benchmark for responsible data privacy and governance in the US. There is a significant shift towards user-centric data practices, as consumers will gain the right to access, correct, delete, and export their data, as well as opt out of targeted advertising and the transfer of their data. The Act also introduces measures to prevent data-driven discrimination and mandates impact assessments for algorithms that could pose risks of harm, promoting fairness and equity.

Covered entities are required to disclose their data handling practices through publicly accessible privacy policies and to appoint privacy or data security officers, ensuring accountability. The principle of data minimization is set to be enforced, limiting data collection and usage to what is necessary and prohibiting the transfer of sensitive data without explicit consent. The Federal Trade Commission, state attorneys general, and consumers themselves will have enforcement powers.

Data Alert Tip

By identifying data that is no longer required or allowed to be retained, Exterro Data Discovery can help you comply with the data minimization requirements of APRA. Find out other use cases in our new infographic.

E-Discovery Workflows

Legal Hold

Comprehensive Interview

In-Place Preservation

ECA, Collection & Processing

E-Discovery Data Management

Review

Employee Change Monitor

Data Source Discovery

Legal Project Management

FOIA & Public Records Response

Digital Forensics Products

FTK Forensic Toolkit

FTK Lab

FTK Imager

FTK Enterprise

FTK Connect

FTK Central

FTK Product Downloads

Privacy and Data Governance Suite

Data Discovery

Data Retention

RoPA/Data Mapping

Assessments Manager

Consent Management

Data Subject Access Request

Cybersecurity Compliance Workflows

Smart Breach Review

FTK Enterprise

Law Enforcement Forensic Workflows

FTK Forensic Toolkit

FTK Lab

FTK Imager

FTK Connect

FTK Central

Exterro Data Risk Management Platform

What is Data Risk Management?

Find a Partner

Artificial Intelligence

Law Firms

Law Enforcement

Public Sector

Corporations

Service Providers

IT

E-Discovery

Forensic Investigation Team

Law Enforcement Team

Privacy and Data Governance

Cybersecurity Compliance

Resources by Content Type

Resources by Role & Team

Resources by Role & Team

Events + Webinars

FTK Podcast

Training & Certification

E-Discovery Workflows

Legal Hold

Comprehensive Interview

In-Place Preservation

ECA, Collection & Processing

E-Discovery Data Management

Review

Employee Change Monitor

Data Source Discovery

Legal Project Management

FOIA & Public Records Response

Digital Forensics Products

FTK Forensic Toolkit

FTK Lab

FTK Imager

FTK Enterprise

FTK Connect

FTK Central

FTK Product Downloads

Privacy and Data Governance Suite

Data Discovery

Data Retention

RoPA/Data Mapping

Assessments Manager