On April 7th, Congress surprised Americans by releasing a draft of a potential U.S. federal data privacy bill, the American Privacy Rights Act (APRA), along with a companion discussion draft.
It would give Americans control over their personal information and regulate the current patchwork of state-level legislation.
In this guide, I’ll discuss the APRA and how it may impact consumers and businesses.
What Is the American Privacy Rights Act (APRA)?
The American Privacy Rights Act (APRA) is the newest iteration of a potential federal data privacy law moving through the U.S. government.
It gives Americans uniform rights and control regarding how their personal information is collected, processed, and used by third parties and gives consumers a private right of action.
APRA Effective Date
If passed, the APRA would become effective 180 days after enactment.
APRA Key Terms and Definitions
To help you better understand the APRA, read through our simplified definitions of some key terms introduced by the potential law:
What Is the Purpose of the APRA?
The APRA aims to provide U.S. citizens with a uniform, comprehensive consumer data privacy law and establish protections for covered data.
It sets standards for data minimization so companies only collect and use necessary data for limited purposes.
Who Supports the APRA?
The APRA was presented by:
- The House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-Wash)
- The Senate Committee on Commerce, Science, and Transportation Chair Maria Cantwell (D-Wash)
What’s Included in the APRA?
Below, read through some of the main requirements included in the current draft of the American Privacy Rights Act:
APRA Impact on Businesses and Consumers
The APRA would impact businesses and consumers in the following ways:
How It Impacts Businesses
Some of the ways the APRA impacts covered businesses include requiring them to:
- Have a compliant privacy policy in place.
- Provide a mechanism for consumers to submit requests to follow through on their rights.
- Perform privacy impact assessments as necessary.
- Ensure their websites accommodate universal opt-out mechanism specifications two years after enactment of the law.
- Implement security measures to protect the data from unauthorized access.
How It Impacts Consumers
Consumers under the APRA would have the following rights regarding their covered data:
- Access the covered data an entity collected from them, the names of third parties to which the data was transferred, and a description of the purpose for which the data was transferred.
- Correct inaccuracies in their data.
- Delete their data.
- Export their data in a portable format.
- Opt-out of targeted advertising, the transfer of their data, and algorithms used for consequential decisions.
- Opt-in to the collection of sensitive data.
- Pursue private action against covered entities that violate their rights.
APRA vs. ADPPA
The APRA is similar to the ADPPA in that both:
- Give users the right to access, correct, and delete their covered data.
- Have guidelines focusing on data minimization.
- Require opt-in consent for the collection of sensitive covered data.
- Allow consumers to opt out of the transfer of their covered data.
- Call for the establishment of a centralized opt-out mechanism.
However, some notable differences between the proposed laws include:
- The APRA has a slightly broader definition of a large data holder than the ADPPA.
- The APRA would preempt state laws but make provisions for stricter elements of laws, like the CCPA.
- The APRA gives consumers a privacy right of action.
Future Outlook of the APRA
It’s still too early to tell what the future looks like for the APRA, but the proposed law currently appears to have bipartisan and bicameral support.
Lawmakers will most likely redraft the Act and have been quoted by sources like the IAPP as saying they’re “open to constructive feedback.”
Be sure to check back for future updates on the APRA.
