American Privacy Rights Act (APRA): First Look & Summary


On April 7th, Congress surprised Americans by releasing a draft of a potential U.S. federal data privacy bill, the American Privacy Rights Act (APRA), along with a companion discussion draft.

It would give Americans control over their personal information and regulate the current patchwork of state-level legislation.

In this guide, I’ll discuss the APRA and how it may impact consumers and businesses.

Table of Contents
  1. What Is the American Privacy Rights Act (APRA)?
  2. APRA Key Terms and Definitions
  3. What Is the Purpose of the APRA?
  4. Who Supports the APRA?
  5. What’s Included in the APRA?
  6. APRA Impact on Businesses and Consumers
  7. APRA vs. ADPPA
  8. Future Outlook of the APRA

What Is the American Privacy Rights Act (APRA)?

The American Privacy Rights Act (APRA) is the newest iteration of a potential federal data privacy law moving through the U.S. government.

It gives Americans uniform rights and control regarding how their personal information is collected, processed, and used by third parties and gives consumers a private right of action.

APRA Effective Date

If passed, the APRA would become effective 180 days after enactment.

APRA Key Terms and Definitions

To help you better understand the APRA, read through our simplified definitions of some key terms introduced by the potential law:

What Is the Purpose of the APRA?

The APRA aims to provide U.S. citizens with a uniform, comprehensive consumer data privacy law and establish protections for covered data.

It sets standards for data minimization so companies only collect and use necessary data for limited purposes.

Who Supports the APRA?

The APRA was presented by:

What’s Included in the APRA?

Below, read through some of the main requirements included in the current draft of the American Privacy Rights Act:

APRA Impact on Businesses and Consumers

The APRA would impact businesses and consumers in the following ways:

How It Impacts Businesses

Some of the ways the APRA impacts covered businesses include requiring them to:

  • Have a compliant privacy policy in place.
  • Provide a mechanism for consumers to submit requests to follow through on their rights.
  • Perform privacy impact assessments as necessary.
  • Ensure their websites accommodate universal opt-out mechanism specifications two years after enactment of the law.
  • Implement security measures to protect the data from unauthorized access.

How It Impacts Consumers

Consumers under the APRA would have the following rights regarding their covered data:

  • Access the covered data an entity collected from them, the names of third parties to which the data was transferred, and a description of the purpose for which the data was transferred.
  • Correct inaccuracies in their data.
  • Delete their data.
  • Export their data in a portable format.
  • Opt-out of targeted advertising, the transfer of their data, and algorithms used for consequential decisions.
  • Opt-in to the collection of sensitive data.
  • Pursue private action against covered entities that violate their rights.


The APRA is similar to the ADPPA in that both:

  • Give users the right to access, correct, and delete their covered data.
  • Have guidelines focusing on data minimization.
  • Require opt-in consent for the collection of sensitive covered data.
  • Allow consumers to opt out of the transfer of their covered data.
  • Call for the establishment of a centralized opt-out mechanism.

However, some notable differences between the proposed laws include:

  • The APRA has a slightly broader definition of a large data holder than the ADPPA.
  • The APRA would preempt state laws but make provisions for stricter elements of laws, like the CCPA.
  • The APRA gives consumers a privacy right of action.

Future Outlook of the APRA

It’s still too early to tell what the future looks like for the APRA, but the proposed law currently appears to have bipartisan and bicameral support.

Lawmakers will most likely redraft the Act and have been quoted by sources like the IAPP as saying they’re “open to constructive feedback.”

Be sure to check back for future updates on the APRA.

Masha Komnenic CIPP/E, CIPM, CIPT, FIP
More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author

Related Articles

Explore more resources