Bipartisan American Privacy Rights Act Introduced in Congress

Why This Alert Is Important

In the absence of a federal privacy law, thirteen states have passed privacy legislation in the past several years. With the introduction of a bipartisan draft, the American Privacy Rights Act has the potential to reshape the US privacy landscape radically in the immediate future.

Overview of the American Privacy Rights Act

On April 7, 2024, Rep. Cathy McMorris Rodgers (R-WA) and Sen. Maria Cantwell (D-WA), chairs of influential committees in Congress, released the draft American Privacy Rights Act. This bipartisan piece of legislation could transform privacy rights in America, eliminating the patchwork of state privacy laws and setting clearly defined privacy rights and protections for Americans. The legislation establishes fundamental data privacy rights for Americans, grants them the ability to enforce their rights, protects civil rights, and holds companies accountable for protecting consumers’ private data.

Rights granted to citizens include: 

  • Control over their own personal data 
  • Access, correction, deletion, and portability of their data 
  • Private right of action 
  • Right to opt out of advertising, data processing, transfers, and sales 

Other key provisions of the draft bill would: 

  • Preempt existing state privacy laws with a single national privacy standard 
  • Require companies to minimize the data they collect, keep, and use to what is necessary to provide products and services 
  • Prevent the use of personal information for discrimination 
  • Allow individuals to opt out of the use of AI for decision-making about housing, employment, healthcare, credit, insurance, or education 
  • Require strong data security standards to prevent breaches, hacking, and other harm 
  • Limit companies’ ability to force arbitration agreements that might impede consumers’ exercise of their rights 

What APRA Covers

The law would apply to “covered entities” and “service providers,” categories that essentially correspond to data “controllers” and “processors” under the GDPR, respectively. Businesses and nonprofits alike are covered, with the largest exception being small businesses under $40 million in revenue, as long as they are not data brokers and do not “transfer covered data to a third party in exchange for revenue or anything of value.”

Another key element of APRA would require data minimization by default. Covered entities could only collect, process, retain, and transfer data if it is necessary and proportionate to the provision of products or services requested by the individual. This would be a major change from previous US and state-level regulations, which have allowed collection or processing by default with certain defined exceptions. 

Sensitive and teen data would be highly regulated and require explicit consent. Children’s data would be covered via a merger with the COPPA 2.0 bill currently making its way through Congress. 

The proposed Act signifies a monumental step towards enhancing privacy protections and setting a national benchmark for responsible data privacy and governance in the US. There is a significant shift towards user-centric data practices, as consumers will gain the right to access, correct, delete, and export their data, as well as opt out of targeted advertising and the transfer of their data. The Act also introduces measures to prevent data-driven discrimination and mandates impact assessments for algorithms that could pose risks of harm, promoting fairness and equity. 

Covered entities are required to disclose their data handling practices through publicly accessible privacy policies and to appoint privacy or data security officers, ensuring accountability. The principle of data minimization is set to be enforced, limiting data collection and usage to what is necessary and prohibiting the transfer of sensitive data without explicit consent. The Federal Trade Commission, state attorneys general, and consumers themselves will have enforcement powers. 

Fahad Diwan, JD, FIP, CIPP/M, CIPP/C, Director of Product, Privacy, Exterro

Data Alert Tip

By identifying data that is no longer required or allowed to be retained, Exterro Data Discovery can help you comply with the data minimization requirements of APRA. Find out other use cases in our new infographic.
