House and Senate Committee Chairs Propose Comprehensive Federal Privacy Act

PDF

House Committee on Energy and Commerce (House E&C Committee) Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation (Senate Commerce Committee) Chair Maria Cantwell (D-WA) unveiled a discussion draft of a bipartisan, bicameral privacy bill on April 7th, marking a significant step forward for a federal data privacy and security standard. Cantwell touted the bill as “the protections Americans deserve in the Information Age” while Rodgers declared it “a bill whose time has come.”

The American Privacy Rights Act of 2024 (APRA) establishes rules governing the collection and use of consumer data, including consumer privacy rights and transparency requirements. Notably, the bill goes beyond protecting consumers’ privacy rights to also impose standards to protect the security of consumer data.

The bill provides exemptions for small businesses, defined as companies with annual revenue of $40 million or less who did not collect data on more than 200,000 consumers and did not transfer data to a third party in exchange for anything of value. Entities who collect information in compliance with certain other federal laws – such as financial institutions and healthcare providers – are exempt with respect to that information. Covered data is defined as information that identifies or is linked, or is reasonably linkable, to an individual or a device. Exempt data categories include de-identified data and employee data.

A section-by-section summary of the bill can be found here.

How We Got Here: Federal and State Legislative Background

A similar piece of legislation, the American Data Privacy and Protection Act (ADPPA), introduced in 2022 by House E&C Committee Chairman Frank Pallone (D-NJ), Rodgers, and Chairman of the Senate Commerce Committee Roger Wicker (R-MS), went on to pass the House E&C Committee on a bipartisan 53-2 vote. The ADPPA did not receive a vote by the full House, as Speaker of the House Nancy Pelosi expressed concern that the bill would preempt stronger state privacy laws, like the California Consumer Privacy Act (CCPA). Cantwell opposed ADPPA on the grounds that the enforcement measures were not strong enough. Cantwell has articulated her own views on privacy through introducing the Consumer Online Privacy Rights Act in 2019. The current legislative effort signifies the merger of these efforts as the two Washingtonians teamed up to negotiate the APRA.

While Congress has debated this issue, states have been moving forward with their own solutions. Comprehensive data privacy legislation has passed in seventeen state legislatures, with thirteen other states actively considering legislation. The federal privacy bill would, if enacted in its current form, preempt these state laws, replacing a multi-state regulatory framework with a single unified standard.

What It Means: Eight Takeaways for Your Business 

1. Data minimization principle

One of the most significant changes the bill would require is a shift in the company’s overall approach of its privacy program to one of “data minimization.” Data minimization requires a company to limit its collection and processing of data to what is necessary to achieve specific purposes articulated in the bill. This posture puts the burden on companies to protect consumers’ privacy rights through the way privacy programs are designed, instead of relying on consumers to exercise those rights through submitting requests for information or opt-out requests. It also means that companies may only collect and process data for a limited number of prescribed purposes, instead of any purpose that is disclosed in the company’s privacy policy. 

2. Privacy policy updates

The sponsors have described the bill as stronger than any state law on the books. Thus, even companies currently in compliance with the CCPA would have to adjust their practices to comply with this law, including what they disclose to consumers in their privacy policy. For example, the bill would require companies to disclose the name of data brokers and affiliates they transfer data to, notify individuals directly in advance of material changes to the privacy policy, and publish the privacy policy in other languages if the company offers products or services in that language. 

3. Limitations on targeted advertising

The bill would provide consumers with the right to opt out of targeted advertising, further accelerating the trend of data privacy laws limiting this practice. Advertising a product offered by a company whose webpage the consumer visited, advertising on a webpage based on the content of that webpage, and processing of data for measurement purposes is not considered targeted advertising. If a consumer opts out of targeted advertising, they could not be denied a product or service that uses targeted advertising as a revenue source, with the exception of loyalty programs that meet the bill’s requirements.

The bill also furthers the adoption of universal opt-out mechanisms, such as the Global Privacy Control, by requiring the Federal Trade Commission (FTC) to adopt rules on a centralized mechanism within two years of passage.

4. Impacts to vendor relationships

Companies will want to review and update their Data Processing Agreements with third party vendors if the bill passes. The bill would impose a number of standards on service providers who handle consumer data, including requirements related to assisting with consumer requests, deleting or returning data, selecting and using subprocessors, and conducting third party assessments. It would also mandate certain provisions to be covered in the contract between the service provider and the company. Companies would be required to conduct due diligence on service providers and third parties they transfer data to, under rules to be promulgated by the FTC.

5. Standards for data security

Besides limiting what data companies may collect on consumers, the bill would provide protections for the data that companies do collect. The bill would impose principle-based data security requirements, based on the company’s facts and circumstances, in addition to specified minimum requirements. These minimum requirements include: (i) a plan to receive and consider unsolicited reports of vulnerabilities, (ii) a data retention schedule, (iii) training for employees with access to consumer data, and (iv) procedures to respond to data security incidents. Additionally, companies would be required to designate a privacy or data security officer to facilitate compliance with the Act.

6. Certain types of data and companies subject to higher standards

Certain categories of data would be defined as “sensitive data” under the bill and subject to greater scrutiny. A few of these categories include government-issued identifiers, precise geolocation information, payment card data, and account log-in credentials. Companies will want to take a close look at the types of data they collect to ensure that any that fall on this list are necessary for a business purpose.

Companies with annual revenue over $250 million who collect data above a certain threshold number of consumers would be defined as “large data holders” and subject to several heightened requirements throughout the bill. These requirements include a certification – similar to that required by public companies under the Sarbanes-Oxley Act – by the CEO, the privacy officer and data security officer that the company’s internal controls and reporting structures are designed to comply with the Act. 

7. Significant enforcement authority

The bill contains significant private and public enforcement powers. It would grant private rights of action under several of its provisions, allowing individuals to recover actual damages and attorney’s fees. Even though many state privacy laws (with an enumerated list of exceptions) would be preempted by this bill, statutory damages under the Illinois Biometric Information Privacy Act, Illinois Genetic Information Privacy Act, and the California Consumer Privacy Act (as amended by the California Privacy Rights Act) are preserved. Finally, the bill would invalidate arbitration agreements with respect to violations involving minors under the age of 18 or violations that resulted in “substantial privacy harms.”

On the government enforcement side, state attorney generals would be given the power to enforce the federal law on behalf of their citizens. The FTC retains significant powers over these state enforcement actions, including the right to receive advance notice, intervene in the action, and file appeals. The FTC’s own enforcement power would be bolstered by the creation of a new Bureau dedicated to enforcing this Act that is similar in size to the two existing Bureaus.

8. Regulation of algorithms

As Congress has been debating how to regulate artificial intelligence, this bill seeks to take a significant stake in the matter by imposing rules on companies’ use of algorithms. The bill would require large data holders to perform impact assessments of algorithms that pose a “consequential risk of a harm” to areas the bill deems as particularly sensitive. These impact assessments would be disclosed to the FTC and to Congress upon request. Individuals would also be granted the right to opt out of algorithms that use personal information to make a determination or an offer related to access or equal enjoyment of housing, employment, healthcare, credit opportunities, education, insurance, or access to places of public accommodation. This opt-out requirement could have an impact on industries like healthcare and insurance that are deploying algorithms to determine coverage eligibility and cost.

Next Steps: Congressional Outlook and Industry Engagement 

As the bill is currently only in discussion draft form, it would need to be formally introduced before it can move through the legislative process. On April 17, the House E&C Committee held a legislative hearing to consider the APRA along with other data privacy and online safety bills. The hearing highlighted a consensus from members on both sides of the aisle that passing a comprehensive federal privacy bill is a goal they want to accomplish, although some of the details are still a work in progress. In her opening statement, Chair Rodgers characterized the bill as a way to stop the abuses of social media companies, which she claimed represented “digital tyranny” contrary to American values. While Ranking Member Pallone was not an official signatory to the APRA, he stated he was “optimistic that we’ll be able to get comprehensive privacy legislation across the finish line” and expressed his desire that children’s privacy provisions be strengthened, among other areas. 

On the other side of the Hill, Senator Ted Cruz (R-TX), Ranking Member of the Senate Commerce Committee, expressed some preliminary concerns with the bill, stating, “I cannot support any data privacy bill that empowers trial lawyers, strengthens Big Tech by imposing crushing new regulatory costs on upstart competitors or gives unprecedented power to the FTC to become referees of internet speech and DEI compliance.”

In order to pass, the bill will have to overcome the challenges that any legislation faces in today’s divided Congress and the distractions present in an election year. Impacted stakeholders will have a lot to say about the changes that this bill would bring to data privacy and the online advertising industry. The California Privacy Protection Agency expressed their concerns with the bill in a letter to the E&C Committee leaders dated April 16, claiming that it would weaken privacy protections for Californians. On the other hand, the bill represents a compromise between the leaders of the two relevant Committees who are both passionate about consumer privacy rights. With Rodgers set to retire at the end of 2024, enacting comprehensive federal privacy legislation could very well be a legacy issue for her.

The fact that the sponsors labeled the bill a discussion draft signals that they are open to feedback and suggestions from the business community on this consequential legislative proposal. If the bill does pass, companies will have to act quickly to adjust their compliance programs as the bill is set to take effect 6 months after passage.