Senator Maria Cantwell (D-Washington) and Representative Cathy McMorris Rodgers (R-Washington) have presented a draft of a federal data privacy law, the American Privacy Rights Act (APRA). APRA would largely preempt the various state privacy laws enacted over the past few years.
Businesses (whether for-profit or non-profit) would be subject to the law if they:
- have average annual gross revenues of $40,000,000 or greater over the three previous years;
- collect, hold, transfer, or process the data of at least 200,000 consumers per year on average; or
- transfer any consumer personal information for value.
Key provisions of APRA would protect consumers by:
- limiting the personal information companies could collect, store, and use, requiring such information to be necessary for the company to provide the consumer with goods and services;
- allowing consumers to prevent the transfer or selling of their information;
- allowing consumers to opt out of the processing of their data if the company changes its privacy policy;
- giving consumers the rights to access, correct, delete, and transfer their data;
- allowing consumers to opt out of targeted advertising;
- preventing companies from using consumer information to discriminate;
- allowing consumers to opt out of a company’s use of algorithms for eligibility for housing, employment, healthcare, credit opportunities, education, insurance, or access to places of public accommodation;
- requiring strong data security standards for which company executives will be accountable; and
- requiring companies to notify consumers when their data is transferred to foreign adversaries.
Notably, not only would the FTC and state AGs have enforcement power, but APRA creates a private right of action. This is in stark contrast to most state laws, such as California's CCPA, which provides a private right of action only in connection with a data breach.
APRA makes some nods to existing state laws, giving consumers certain claims regarding biometric information in Illinois and California residents the ability to recoup statutory damages for data breach claims as permitted under the CCPA.
The likelihood of the bill's becoming law is unknown at this point, but should come clear in the coming month as it makes its way through committee.