BlogLine

Why data holders and service providers need to be aware of the American Privacy Rights Act (“APRA”) and its compliance requirements 

5/6/24

data blog

By: Thomas Livingston

Recently, the Chair of the U.S. House Committee on Energy and Commerce, together with the Chair of the Senate Committee on Commerce, Science, and Transportation, announced a new piece of data privacy legislation entitled the American Privacy Rights Act (the “APRA”). The APRA has garnered significant bipartisan support and is largely based on its predecessor, the American Data Privacy and Protection Act (“ADPPA”), which did not pass the House of Representatives. Like the ADPPA, the APRA would establish a federal standard that would preempt state law, with certain exceptions. The APRA would be enforced by the Federal Trade Commission (“FTC”) and by state attorneys general, who would be able to seek injunctive relief, civil penalties, damages, and other forms of restitution. In addition, the APRA would allow individual consumers to file private lawsuits to enforce the APRA, and those consumers would be able to recover actual damages, injunctive relief, declaratory relief, and attorney’s fees and costs. 

However, beyond these enforcement provisions, there are significant differences between the ADPPA and the APRA.

One of these is the APRA’s stricter data minimization requirements for covered entities and service providers. The APRA defines a covered entity as any entity that determines the purpose and means of collecting, processing, retaining, or transferring covered data and is subject to the FTC Act, with exceptions for small businesses, governments, entities working on behalf of governments, and fraud-fighting non-profits. Covered entities include large data holders, which are entities that have $250 million or more in annual revenue and that collect, process, retain, or transfer the covered data of more than 5 million individuals or the sensitive covered data of more than 200 thousand individuals. The APRA defines covered data as information that identifies, or is linked or reasonably linkable to, an individual or device. 

Under the APRA, covered entities and the service providers operating on their behalf may not collect, process, retain, or transfer covered data beyond what is necessary, proportionate, and limited to (1) provide or maintain a product or service requested by the individual, (2) provide a communication reasonably anticipated in the context of the relationship, or (3) serve one of the permitted purposes enumerated in the Act. Further, the APRA would prohibit a covered entity from transferring sensitive covered data to a third party without the individual’s affirmative express consent unless the transfer serves a permitted purpose under the Act (such as protecting data security, complying with legal obligations, or responding to imminent security incidents or public safety incidents). What is reasonably necessary and proportionate for purposes of these data minimization requirements would be addressed in guidance from the FTC. 

Another significant difference is the APRA’s opt-out provision, which would allow a consumer to opt out of the transfer of their non-sensitive covered data to third parties and of the use of their covered data for targeted advertising. 

Lastly, a significant difference in the APRA is that it would require a covered entity to designate one or more qualified employees to serve as privacy or data security officers. Large data holders, by contrast, would be required to designate both a privacy officer and a data security officer, file annual certifications with the FTC attesting to internal controls and internal reporting structures that comply with the APRA, and conduct privacy impact assessments on a biennial basis. For service providers, the APRA would require them to adhere to the instructions of the covered entity and assist that entity in fulfilling its obligations under the APRA, to cease a data practice when they have actual knowledge that the covered entity is in violation of the APRA, and to maintain the security and confidentiality of covered data. In addition, covered entities would be required to exercise due diligence in selecting service providers and in deciding to transfer covered data to a third party, with the FTC to provide guidance on complying with these due diligence requirements. 

At this time, the APRA has not been formally introduced in Congress and no date for its formal introduction has been set. However, given that it has bipartisan support and would take effect only 180 days after its passage, data holders need to determine the following: 

  • Whether they are a covered entity under the APRA; 
  • If they are a covered entity, whether they also qualify as a large data holder; 
  • Whether they act as a service provider on behalf of a covered entity; 
  • If they qualify as a large data holder, whether they have designated privacy and data security officers and the other structures needed to comply with the APRA’s FTC reporting requirements; 
  • If they act as a service provider, whether they have the resources and structures in place to assist covered entities in complying with the APRA and to recognize when a covered entity is not in compliance with the APRA; 
  • What the FTC defines as reasonably necessary and proportionate for purposes of the APRA’s data minimization requirements; 
  • What the FTC defines as exercising due diligence in selecting service providers and in deciding to transfer covered data to a third party; and 
  • Which federal or state privacy or consumer protection laws, such as the California Privacy Rights Act or the Illinois Genetic Information Privacy Act, would not be preempted by the APRA. 

In summary, the APRA would provide a uniform federal standard for data minimization by data holders and service providers that would preempt most state law. However, it would also impose stricter requirements and give consumers a greater ability to enforce those requirements through private actions, including an avenue for recovering attorney’s fees and costs. More importantly, given that the APRA would take effect only 180 days after its passage, data holders and service providers should monitor the FTC’s guidance as it is issued and ensure they have the resources in place to comply, so as to avoid the risk of violating the APRA. 

For more information, please contact Thomas Livingston at thomas.livingston@fmglaw.com or your local FMG attorney.