The chairs of the House and Senate Commerce Committees recently released a draft federal data privacy bill. This is significant news given a consensus on data privacy legislation has eluded Congress for years. As written, the draft legislation would move away from the notice-and-consent model (i.e., the ability for a business to freely use data so long as the uses of that data are appropriately disclosed) that has defined U.S. data privacy law for decades. The draft legislation would dramatically limit the ability of businesses to use personal information in certain circumstances.
The American Privacy Rights Act ("APRA"), drafted by U.S. Senator Maria Cantwell (D-Washington), Chair of the Senate Committee on Commerce, Science and Transportation, and U.S. Representative Cathy McMorris Rodgers (R-Washington), Chair of the House Committee on Energy and Commerce, would impose significant obligations on many entities doing business in the United States, as discussed below. The bill would pre-empt many provisions of existing state privacy laws like the California Consumer Privacy Act (“CCPA”). Notably, APRA would provide a means for individuals to directly sue businesses for privacy violations under certain circumstances. We'll continue to keep you abreast of any developments regarding the APRA given the significant impact this legislation could have on American businesses.
The act would apply to businesses in the United States (“covered entities”) that either:
- Earned revenue averaging over $40 million over the last three years (or averaging $40 million over the life of a business if that business has existed for less than three years);
- Processed the personal information of more than 200,000 individuals annually (unless such processing was directly related to providing a requested service or product); or
- Transferred any personal information to another entity in exchange for revenue or anything of value.
ARPA would impose significant obligations on covered entities. For example:
- Covered entities and service providers operating on their behalf would be prohibited from collecting, processing, retaining, or transferring data beyond what is necessary, proportionate, or limited to provide or maintain a product or service requested by an individual, or provide a communication reasonably anticipated in the context of the relationship, or a permitted purpose (as outlined by the legislation).
- Covered entities would be prohibited from transferring sensitive data (as defined by the legislation) to a third party without the individual’s affirmative express consent, unless expressly allowed by a stated permitted purpose (as outlined by the legislation).
- Upon request, individuals would have the right to access their personal information that is collected, processed, or retained by a covered entity and to know the name of any third party or service provider to which the data was transferred and the purpose of the transfer.
- Individuals would have the right to opt-out of the transfer of their personal information and the right to opt-out of the use of their personal information for targeted advertising.
- Covered entities and service providers would be required to establish data security practices that are appropriate to the entity’s size, the nature and scope of the data practices, the volume and sensitivity of the data, and the state of the art of safeguards.
- Individuals would have the right to opt out of the use of covered algorithms (e.g., artificial intelligence) for consequential decisions related to housing, employment, education, health care, insurance, credit, or access to places of public accommodation.
- All covered entities would be required to designate one or more covered employees to serve as privacy or data security officers.
As of the date of this note, the draft text has yet to be formally introduced as legislation and neither ranking member (i.e., lead member of the minority party) on either committee has endorsed the discussion draft. Rep. Frank Pallone (D-New Jersey), ranking member of the House Commerce Committee, called the draft bill a "very strong discussion draft" but stated that there are "key areas" where the draft bill could be strengthened, including children's privacy*. Ted Cruz (R-Texas), ranking member of the Senate Commerce Committee, had yet to comment on the draft bill at the time this note was published.
We will continue to follow this draft legislation and report on any major developments.