
Towards a Unified Data Privacy Standard: The American Privacy Rights Act Unveiled

The American Privacy Rights Act (APRA) is a proposed bill that aims to establish a national standard for data privacy across the United States. Senator Maria Cantwell and Representative Cathy McMorris Rodgers introduced the bill in April 2024. If passed, it could significantly change how American consumers interact with their personal information.

The APRA proposes a federal law establishing a single set of rules for data privacy across all 50 states. This would offer businesses much-needed clarity and consistency in handling personal information.

Key definitions under the American Privacy Rights Act

Covered Algorithm: The term “covered algorithm” refers to a computational process that uses machine learning, statistics, or other artificial intelligence techniques to make a decision or to facilitate human decision-making. It includes processes that use covered data to determine the delivery or display of information to an individual, such as ranking, ordering, promoting, recommending, or amplifying content, or that determine the provision of products or services.


Covered Data: The term “covered data” refers to information that identifies, or can be linked to, an individual, or a device that can be linked to one or more individuals, whether alone or in combination with other information.


It does not include:

  1. de-identified data;
  2. employee information;
  3. publicly available information;
  4. inferences made exclusively from multiple independent sources of publicly available information, provided that such inferences
    • do not reveal any sensitive covered data related to an individual; and
    • are not combined with covered data; and
  5. information in the collection of a library, archive, or museum, if the library, archive, or museum is open to the public or routinely makes its collection available to unaffiliated researchers.


Covered Entity: An entity that determines the purposes and means of processing covered data, alone or jointly with others, is a Covered Entity. These include:

  • Businesses subject to the U.S. Federal Trade Commission’s authority.
  • Common carriers.
  • Nonprofits.

Small businesses are excluded if all of the following apply:

  • They have less than USD 40 million in annual revenue. 
  • They process covered data of less than 200,000 individuals, with exceptions. 
  • They do not earn revenue from transferring covered data to third parties.


Sensitive Data: Sensitive data is a broad term that covers many types of personal information, such as government IDs, health records, biometric data, genetic information, financial details, precise location data, login credentials, private communications, sexual behavior, calendar or address book data, phone logs, private photos and recordings, intimate imagery, video viewing activity, race, ethnicity, national origin, religion, or sex, online activities across third-party websites, information about minors under 17, and any other data that the FTC designates as sensitive covered data by regulation.


Data Broker: The term “data broker” refers to an entity that primarily generates revenue by processing or transferring covered data, which the entity has not obtained directly from the individuals who may be linked to said data.


Large Data Holder: The term “large data holder” means a covered entity or service provider that, in the most recent year, had annual gross revenue of not less than $250,000,000 and processed:

  1. the covered data of
    • more than 5,000,000 individuals;
    • 15,000,000 portable connected devices that identify or are linked or reasonably linkable to 1 or more individuals; and
    • 35,000,000 connected devices that identify or are linked or reasonably linkable to 1 or more individuals; or
  2. the sensitive covered data of
    • more than 200,000 individuals;
    • 300,000 portable connected devices that identify or are linked or reasonably linkable to 1 or more individuals; and
    • 700,000 connected devices that identify or are linked or reasonably linkable to 1 or more individuals.

A “large data holder” does not include an entity or service provider that collects, processes, retains, or transfers only the following covered data:

  1. personal mailing or email addresses;
  2. personal telephone numbers;
  3. log-in information of an individual or device; or
  4. information that facilitates payments for goods or services (except where the entity itself facilitates the payment, such as a bank or payment platform).


Key obligations

Data Minimization

Like other privacy laws, the American Privacy Rights Act (APRA) prohibits processing personal data unless it is necessary to provide or maintain a specific product or service requested by the individual, or to communicate with the individual where the communication is reasonably anticipated within the context of their relationship.

APRA further provides that a covered entity or service provider:

  • shall not transfer sensitive covered data to a third party without the affirmative express consent of the individual; and
  • shall not collect, process, or retain biometric information or genetic information without the affirmative express consent of the individual.

Exceptions: The data minimization rule has certain exceptions, some of which are listed below:

  • To protect data security
  • To comply with a legal obligation
  • To defend cognizable legal claims
  • To conduct market research
  • In the public interest.

Transparency

Privacy Policy: The Act provides that every covered entity and service provider shall maintain a privacy policy that gives a detailed and accurate description of its data collection, processing, retention, and transfer activities.

Privacy policies must include the specific information prescribed by the Act, such as the categories of covered data collected, the purposes of processing, the third parties to which data is transferred, and the names of any data brokers that receive the data.

Any material change to the privacy policy would require advance notice to individuals and a means of opting out of processing affected by the change.

After enactment, large data holders would be required to keep on their website a copy of every previous version of their privacy policy for at least 10 years, together with a log that clearly describes the significant changes made to the policy over that 10-year period.

Consumer rights

This section grants individuals rights relating to their personal data held by covered entities:

Right to access: Individuals may access their covered data in a human-readable format, including the sources from which it was collected and details of transfers to third parties or service providers.

Right to correct: Individuals may correct inaccurate or incomplete covered data.

Right to delete: Individuals may have the covered entity delete their covered data.

Right to portability: Individuals may export their covered data in a portable, machine-readable format.

After verifying a request, a covered entity that holds large amounts of data must respond within 15 days, and any other covered entity within 30 days. The first three requests per year are free of charge; reasonable fees may be charged thereafter. Certain exceptions allow a request to be denied, such as suspected fraud, conflicting legal obligations, or requests that would expose the sensitive data of others.

Large data holders must report annually on metrics related to privacy requests received and complied with.

Opt-out Rights

The covered entity would be required to provide the individuals with the right to opt out of ‘covered data transfers’ and ‘targeted advertisement’.

Interference with consumer rights

The Act prohibits the use of dark patterns where they interfere with notice, consent, or choice. It is also unlawful to condition the exercise of an individual’s rights on misleading or fraudulent statements.

“Dark patterns” are user interface designs that manipulate user behavior, decision-making, and choice.

Service Providers and Third Parties

  • Service providers must comply with the instructions of the covered entity while handling covered data. They are not allowed to combine data from different covered entities unless necessary for a permitted purpose. Service providers must establish reasonable measures to ensure the security and confidentiality of the data. They must also permit assessments by the covered entity or arrange for independent audits. Additionally, contracts with covered entities must explicitly govern the data handling procedures.

  • Third parties are entities other than the original data collector or owner. They may not use, retain, or share the data for any purpose other than the one disclosed by the original collector or owner when the data was transferred, but they may rely on the data treatment expectations communicated to them by that collector or owner. Third parties are exempt from the data minimization requirement; otherwise, they have the same responsibilities as the original collector or owner under the Act. This section also ensures that a service provider or third party is not in violation of the Act where the original collector or owner has properly transferred the data.

Prohibiting Discriminatory Data Practices

This provision aims to prevent discriminatory data practices and to regulate the use of AI and algorithms that make consequential decisions using covered data.

The American Privacy Rights Act prohibits covered entities from using protected characteristics such as race, color, religion, national origin, sex, or disability status to discriminate while collecting, processing, retaining, or transferring covered data. The prohibition applies to areas such as housing, employment, credit, education, and the provision of goods or services. There are exceptions allowing the use of covered data for certain purposes, such as preventing unlawful discrimination, diversifying applicant or customer pools, and advertising economic opportunities to underrepresented groups. Additionally, the Act regulates the use of algorithms and AI systems.

It also imposes requirements on the use of “covered algorithms”: computational processes, such as machine learning, that make decisions or facilitate human decision-making using covered data.

The key requirements are:

  • Annual Impact Assessments: Large data holders must assess algorithms with consequential risks annually, publish the results, and submit them to the FTC.
  • Pre-Deployment Evaluations: Entities must evaluate algorithm design, structure, and inputs to assess and reduce risks of potential harm before deployment. Evaluations must be submitted to the FTC.
  • Opt-Out for Consequential Decisions: If an algorithm is used for consequential decisions in areas such as housing, employment, healthcare, insurance, or credit, entities must provide notice and an opportunity for individuals to opt out of such use.

Additional obligations

Data brokers, a type of covered entity, have specific obligations they must fulfill. These include:

  • providing special notices to consumers and registering on the FTC-managed registry;
  • respecting consumers’ “Do Not Collect” requests made through the centralized opt-out mechanism established by the FTC (once this mechanism is established, the private right of action applies to this obligation); and
  • not relying on the “bona fide loyalty program” exception to the prohibition on retaliation.


Covered high-impact social media companies must also:

  • treat individuals’ activities on their platforms as sensitive data, regardless of whether the data is collected over time or across other websites or services;
  • treat any advertising displayed on their platform over time as targeted advertising, with some exceptions; and
  • refrain from using the “bona fide loyalty program” exception to justify any form of retaliation prohibited by the regulations.

Effective date

The Act will take effect 180 days after enactment, except for provisions such as the FTC’s rulemaking authority, which will take effect immediately.

Conclusion

The American Privacy Rights Act (APRA) is a proposed framework for data privacy regulation in the United States. The purpose of this bill is to standardize data privacy practices across all states, which will offer clarity for businesses and give more control to consumers over their personal information. The APRA emphasizes transparency and accountability and prohibits discriminatory practices. Once enacted, APRA would be a significant step towards building confidence in the digital age.

PrivacyPillar is committed to helping businesses navigate the complexities of this legislation. We ensure adherence to regulatory requirements while maintaining the highest standards of data protection and integrity. Partner with PrivacyPillar if your business needs guidance on compliance with the American Privacy Rights Act (APRA). We provide tailored solutions and expertise in safeguarding consumer privacy in an ever-changing digital landscape.