In an uncommon display of bipartisanship, on April 7, 2024, Sen. Maria Cantwell (D-Wash.) and Rep. Cathy McMorris Rodgers (R-Wash.) introduced the American Privacy Rights Act (APRA), a landmark bill set to transform privacy legislation in the United States. As the only G-20 nation without a national privacy law, the U.S. lags significantly behind the rest of the world, with 137 out of 194 countries already implementing legislation.
The urgency of this bill is underscored by recent events, including President Biden’s reauthorization of the Foreign Intelligence Surveillance Act, which has a history of allowing the collection of vast amounts of web and cellphone data from Americans. Additionally, concerns about data misuse have been amplified by scandals such as General Motors sharing customer driving behavior data with insurance companies.
Let’s take a look at the APRA itself and what U.S. organizations could be expected to do in order to comply.
American Privacy Rights Act Scope
APRA’s scope is impressively broad, encompassing not only tech companies but also not-for-profits and common carriers. It proposes stringent restrictions on data collection and sharing, including requirements for transparency and consumer control over their data. Notably, it empowers individuals to opt out of targeted advertising and data collection by brokers, while also granting them the right to seek financial damages for privacy violations.
Key Elements of the American Privacy Rights Act
Under APRA, companies would be required to limit the collection and use of consumer data, empowering individuals with greater control over their personal information. The legislation builds upon previous efforts such as the American Data Privacy and Protection Act (ADPPA), with notable enhancements to address evolving cybersecurity threats and technological advancements. Here are some of the key elements of the proposed legislation:
- Covered Data Definition: APRA’s definition of Covered Data is slightly broader than ADPPA’s but still lacks clarity on “inference” compared to CCPA.
- Exclusions: APRA excludes certain data from Covered Data, including “inferences made exclusively from multiple independent sources of publicly available information.”
- Terms to Note: Definitions like “Affirmative express consent,” “Biometric information,” and others are crucial for businesses to understand in order to comply with APRA.
- Transfer of Sensitive Data:
  - Prohibited Transfers: APRA prohibits transferring sensitive covered data without individual consent, imposing civil enforcement for violations.
  - Affirmative Express Consent: APRA’s requirement for consent poses challenges for businesses, given the broad definition of sensitive data.
  - Requested Protections: CPPA suggests APRA include protections for sensitive information like sexual orientation and union membership.
- FTC’s Role: The FTC has two years under APRA to clarify global opt-out requirements, allowing individuals to designate preferences.
- Compliance Requirement: Covered entities must respect individual designations made through any mechanism.
- Non-Retaliation and Non-Discrimination Provisions:
  - Prohibited Actions: APRA prohibits retaliation against individuals exercising their rights and discrimination based on certain criteria.
  - Exceptions: The prohibition on discrimination does not apply to advertising or marketing efforts.
- Consent Requirement: APRA mandates affirmative express consent for participation in loyalty programs, with provisions for withdrawal.
- Calculating Data Value: Unlike CCPA, APRA does not require businesses to calculate the value of consumer data for loyalty programs.
- Executive Responsibility:
  - Designated Officers: Covered entities must designate privacy and data security officers, with certification requirements after one year.
  - Variations from ADPPA: APRA’s officer requirements differ slightly from ADPPA’s provisions.
- Clarification: APRA distinguishes service providers from covered entities, clarifying their roles in data processing.
- Implications: How APRA applies consumer opt-out rights to data transfer practices is a key area to monitor.
- Consumer Rights: APRA allows consumers to submit “Do Not Collect” requests to data brokers through an FTC registry.
- Concerns: CPPA highlights weaknesses in APRA’s data broker regulations compared to CCPA.
- Consequential Decision Opt-Out:
  - Transparency Requirement: Entities making consequential decisions must notify individuals and provide opt-out options under APRA.
  - Addressing Concerns: ADPPA lacked such provisions, prompting scrutiny from CPPA.
- Privacy Enhancing Technology Pilot Program:
  - Program Overview: APRA introduces a pilot program to promote privacy-enhancing technology in the private sector, with FTC audit provisions.
  - Comparison with CPPA: APRA’s audit provisions differ from California’s enforcement mechanisms.
- State Authority: APRA allows state attorneys general to bring civil actions in federal district courts to enforce privacy laws.
- CPPA’s Concerns: CPPA believes APRA seeks to undermine state authority in privacy enforcement.
- Arbitration Limitations: APRA allows individuals to void pre-dispute arbitration agreements for certain privacy violations.
- Litigation Implications: This provision could lead to an increase in privacy rights lawsuits under APRA.
- Expanded Rights: APRA allows civil litigation for various violations, unlike CCPA’s focus on data breaches.
- Notice Requirement: APRA mandates a 30-day notice to cure violations, with exceptions for substantial privacy harm.
- National Standard: APRA aims to establish a uniform national data privacy standard, preempting state laws.
- Controversy: Preemption is a contentious issue, with CPPA advocating for Congress to set a floor, not a ceiling.
Critical Reception of the American Privacy Rights Act
Despite its ambitious goals, APRA has faced criticism from privacy advocates and lawmakers alike. Some argue that it could preempt existing state laws and lacks sufficient protections, particularly in areas like children’s privacy. However, proponents argue that a strong federal law is necessary to effectively regulate tech giants and provide consistent protections nationwide.
Although there are elements that we believe could use modification, we strongly support a federal law overall. It would streamline compliance and add consistency, which benefits medium and small businesses. Additionally, it extends these rights to all citizens. While this may have little impact on interactions with fundamentally ethical companies, it is especially valuable in safeguarding consumer rights when dealing with bad actors.
While APRA is still in its draft stage, organizations must proactively prepare for compliance with evolving privacy regulations. Automation of data management processes and implementation of comprehensive privacy programs are essential steps to ensure readiness for APRA and other privacy laws.
By understanding and embracing the changes brought forth by APRA, organizations can not only comply with regulatory requirements but also foster trust and security in the digital age. APRA represents a significant stride towards a more protected and private digital America, laying the foundation for a future of enhanced data privacy and consumer rights.
If you have questions about how Truyo can help you with compliant SAR response, reach out to hello@truyo.com.