The American Privacy Rights Act Provides a Solid Start but Needs Substantial Improvement

The newly introduced American Privacy Rights Act (APRA) seeks to harmonize privacy rules across state boundaries in response to a growing patchwork of federal and state privacy laws across the United States. While recent bipartisan efforts to create much-needed comprehensive privacy legislation are to be commended, the United States ultimately needs a different type of privacy legislation, or at least a substantially improved version of this bill.

Unlike other major jurisdictions, such as the European Union, the United Kingdom, Canada, and Japan, the United States does not have comprehensive privacy legislation. Instead, a patchwork of sector-specific federal laws and state privacy legislation has produced increasingly confusing, overlapping privacy rules that vary across sectors and state boundaries.

Against this backdrop, House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA) and Senate Commerce Committee Chair Maria Cantwell (D-WA) introduced the APRA last week. The legislation comes after similar efforts, notably the American Data Privacy and Protection Act (ADPPA), failed to become law in the 117th Congress.

As more Americans grow concerned about how their data is used and processed online, Congress does need to establish stronger privacy protections through comprehensive privacy legislation. In doing so, however, U.S. lawmakers also need to ensure that such a framework does not exacerbate regulatory fragmentation and create even more regulatory challenges in the long run.

To that end, ideal privacy legislation should harmonize privacy rules across both state boundaries and different sectors. The proposed APRA is likely to succeed on the first count but fail on the second because of its exemptions for existing sectoral federal laws.

A better approach would entail creating the same legal standards for different sectors while developing distinct rules for different data types according to the risks that they pose. For example, a consumer’s music streaming preferences do not carry the same privacy risks as sensitive financial and medical data, and federal privacy law should create distinct rules accordingly.

Lawmakers should also distinguish between non-sensitive data and sensitive data such as banking records and health data. The strictest privacy rules should apply to sensitive data used to deliver critical services, such as surgery. In contrast, the least strict standard should apply to non-sensitive data used to provide non-critical services, like food delivery.

Nevertheless, even within the framework of the APRA, several amendments could improve the proposed legislation. First, given the overly litigious nature of the U.S. legal system and the financial incentives for entrepreneurial lawyers and litigants, the APRA's expansive private right of action could easily lead to an array of frivolous lawsuits against all types of companies, which could be especially harmful to smaller companies that are just large enough to fall within the APRA's scope. The proposed law would benefit from narrower, more targeted rights of private action, if not the elimination of certain provisions altogether.

Second, at a time of growing concerns about the Federal Trade Commission's (FTC) regulatory overreach, including from former FTC officials, caution is warranted against granting the Commission greater regulatory powers. Yet that is precisely what the newly proposed FTC bureaus for privacy enforcement under §17(a) and the new enforcement powers for the Commission under §17(b) would risk doing. While any eventual U.S. federal privacy legislation will need to delegate enforcement responsibilities to one or more regulatory bodies, the granting of new statutory powers should be counterbalanced by enhanced Congressional oversight and monitoring mechanisms to hold the privacy regulator(s) accountable.

Finally, like the previous ADPPA, a major feature of the proposed APRA is that any "Federal, State, Tribal, or local government entity" would be exempt from the proposed rules under §2(10)(C). However, at a time when government entities have emerged as a major source of data breaches and surveillance of Americans, privacy obligations should apply to both private and public entities. According to a May 2023 survey of U.S. adults by the non-partisan Pew Research Center, 77 percent of Americans said they have "little to no understanding" of what the government does with their data (compared to 67 percent for companies), while 71 percent are "concerned" about how the government uses such data (compared to 81 percent for companies). As more cases of government surveillance and data breaches come to light, concerns about how government entities collect and use data about individuals are likely to continue to grow.

While some exceptions might be needed in emergencies and for well-defined national security purposes, such cases should be exceptions, not the norm, and formal criteria for such exceptions should be established in statute. Indeed, notwithstanding certain negative consequences of the European Union's General Data Protection Regulation (GDPR), one positive aspect has been that its obligations apply to both government and private entities, albeit with some well-defined exceptions on national security, defense, and public security grounds. Instead of mandating a wholesale exemption for government entities, a revised APRA should protect the data of U.S. residents and taxpayers from the unlawful activities of government and non-government entities alike.

Other interesting aspects of the proposed APRA warrant more extensive discussion. Cobun Zweifel-Keegan of the International Association of Privacy Professionals (IAPP) and Brandon Pugh of the R Street Institute have highlighted several areas in which the APRA differs from the previous ADPPA. These include the APRA's broader scope (albeit with some exemptions for small businesses), obligations for data minimization by default, algorithmic impact assessments, and additional requirements for larger entities that meet specific thresholds.

These issues all require thorough scrutiny, especially if Congress chooses to move forward with the proposed legislation. While the precise merits of these measures remain subject to debate, one thing should be clear: the United States deserves a better-designed privacy law than what the American Privacy Rights Act offers in its current form.