US legislators propose American Privacy Rights Act - and it looks quite good
After two decades of calls for national protections, something may actually happen
Americans may soon live under a federal privacy law – a mere two decades after the US Federal Trade Commission urged Congress to regulate online data collection.
On Monday, US representative Cathy McMorris Rodgers (R-WA) and US senator Maria Cantwell (D-WA) announced the American Privacy Rights Act [PDF], which aims to provide a comprehensive set of rules governing how citizens' data is used.
"This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information," declared Rodgers and Cantwell, in a joint statement, claiming the bill will give US citizens control over their data and who can sell it.
The largely unrestrained sale of online data has made a mockery of the concept of privacy – a term that has come to mean "data usage" among tech firms. In May 2000, the Federal Trade Commission (FTC) asked Congress to pass a data privacy law, but federal legislation did not flow. At the state level, the Illinois Biometric Information Privacy Act passed in 2008 and has been used against Facebook and others.
The FTC again asked Congress to pass a federal privacy law in 2014.
With respect to data brokers that sell marketing products, the Commission recommends that Congress consider legislation requiring data brokers to provide consumers access to their data – including sensitive data held about them – at a reasonable level of detail, and the ability to opt out of having it shared for marketing purposes.
Again, US lawmakers didn't respond to the challenge and, as a result, online privacy suffered. There was, however, quite a bit of lobbying to prevent privacy rules from being adopted. And of course then came the Facebook/Cambridge Analytica scandal to illustrate what can happen without privacy protections.
But in 2018, Europe enacted its General Data Protection Regulation. Two years later, California passed the California Consumer Privacy Act (CCPA), followed by Virginia and Colorado.
Today, there are 15 state privacy laws – 14 of which, according to Maryland PIRG Foundation and the Electronic Privacy Information Center [PDF], "follow a model that was initially drafted by industry giants such as Amazon."
In 2022, the American Data Privacy and Protection Act (ADPPA) was proposed. Though popular, it was opposed by some lawmakers who were concerned it would preempt stronger protections in states like California.
Fast forward to last month, and we find Congress voting unanimously on a bill to ban data brokers from selling US citizens' data to foreign adversaries – evidently, some don't like the idea of Putin buying the personal info of US soldiers. And thanks to the overturning of Roe v. Wade by the US Supreme Court in 2022, the privacy risk posed by location and health data has taken on new urgency.
After decades of relying on narrow, industry-specific rules like the Video Privacy Protection Act of 1998, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and the Children's Online Privacy Protection Act of 1998, the Land of the Free might finally get a meaningful national data protection law.
So what's inside the box?
The American Privacy Rights Act (APRA) would preempt state privacy rules – with exceptions for consumer protection laws, civil rights laws, laws that address the privacy rights of employees and students, data breach notification laws, contract, tort, and criminal laws, public safety laws, and public records laws, among other categories.
It would require impact assessments for large data brokers using a covered algorithm that poses a substantial risk of harm, when applied to: minors; housing, education, employment, health care, insurance, or credit opportunities; public accommodations based on protected characteristics (e.g. race); or disparate impacts based on such characteristics or on political party affiliation.
Large organizations (with more than $250 million in revenue, among other criteria) would be required to have a privacy or data security officer. Small businesses with less than $40 million in revenue are exempt from the APRA.
The legislation gives individuals the right to sue for privacy harms, and disallows mandatory arbitration in claims involving minors or a substantial privacy harm – set at $10,000 – or specific physical or mental harms.
Generally, the bill aims to give people control over their personal data by allowing them to prevent the sale or transfer of their information and to opt out of data processing if a privacy policy changes. It also allows people to opt out of targeted advertising, and requires that businesses that collect data allow people to access, correct, delete, and export their data.
It remains to be seen if the House and the Senate will approve the bill. In 2023, the House passed just 27 pieces of legislation – the lowest number in a century. But perhaps there's enough concern about privacy in this "Do Nothing Congress" that Republican and Democratic lawmakers can manage to get themselves into gear.
State legislators in Maryland have already taken action. On Saturday, the Maryland General Assembly passed the Maryland Online Privacy Protection Act of 2024 (HB 567/SB 541), which awaits approval from governor Wes Moore – a Democrat who has yet to signal his stance on the legislation.
RJ Cross, PIRG's Don't Sell My Data campaign director, endorsed the Maryland bill. "Tech lobbyists have successfully gutted legislation in states across the country, but not in Maryland," Cross opined. "Maryland lawmakers have bucked the trend by standing up to the tech industry in order to protect Maryland consumers." ®