Hammer on US flag showing federal privacy law

New Attempt at Federal Privacy Law Would Complement State Laws, Add Private Right of Action

Another attempt at a federal privacy law has entered the arena, as members of the House Committee on Energy and Commerce have introduced the “American Privacy Rights Act” (APRA). The new proposal differs from prior attempts in essentially cherry-picking elements of the strongest existing state laws, but looks to be generally leaving the issue of children’s privacy online to separate legislation.

As with many of these recent attempts at a comprehensive federal privacy law, the bill has bipartisan support. But its fate is just as uncertain as any of its predecessors during a Congressional period in which data privacy has been expected to be kept in the backseat pending the outcome of another contentious election.

Proposed federal privacy law stronger than some prior efforts

The proposed bill is sponsored by committee Chair Cathy McMorris Rodgers (R, WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D, WA). A statement from the members indicated that they viewed it as the best chance yet to establish a federal privacy law, though the conditions are not much better than they have been since similar efforts stalled during the 2022 election period.

The broad strokes of the bill call for “uniform national data privacy rights”: data minimization requirements for private companies, a consumer right to opt out of transfer and sale of personal data as well as targeted advertising, a right to access and correct or delete data, and a requirement for data processors and collectors to obtain affirmative express consent before “sensitive” categories of data can be transferred to third parties.

One of the big new additions to the proposed federal privacy law is a right to private action, often the primary point of contention that causes Republican support to drop off. Individuals could sue data holders directly for violations, and companies would be restricted from enforcing mandatory arbitration in cases where there is substantial privacy harm. The Federal Trade Commission and individual states would also continue to be able to bring their own legal actions against violators.

In addition to opting out of targeted advertising, the proposed federal privacy law would also allow individuals to opt out of any algorithms a company uses to make automated decisions about things like creditworthiness, employment or housing. Any algorithms of this nature would also be required to undergo annual review to ensure that they are not discriminatory and not posing a risk of harm.

The proposed federal privacy law also addresses data security, and requirements for organizations in both defense of stored personal information and responsibility for company executives when breaches occur. There would also be new notification requirements, including for breaches in which a foreign adversary is thought to have obtained American personal information.

Prospects of proposed bill remain in question

Two potential points of contention jump out upon reading the Energy and Commerce Committee’s general statement on the proposed federal privacy law: an exemption for businesses that are considered small enough, and the fact that state data privacy laws would at least partially be thrown over in favor of these federal requirements.

As it stands, businesses that have less than $40,000,000 in annual revenue and process the data of no more than 200,000 individuals (excluding “transient data” such as credit card payments) would be considered a “small business” by the federal privacy law and exempt from its terms. While that would include the vast majority of American businesses, those that fall into this category could still be regulated by the bill if they earn revenue via sale of covered data to third parties (eliminating potential loopholes for data brokers, who would also have to list themselves on a national registry).

State law has also been an obstacle in past efforts to pass a federal privacy law, most notably with the American Data Privacy and Protection Act of 2022. Then-House Speaker Nancy Pelosi led an effort to block the bill from reaching a floor vote, in the belief that California’s existing privacy law provided superior protection to consumers.

The new bill seems to directly address that potential state roadblock by copying many of the strongest terms of the existing state laws considered to be the best for consumers: those of California, Colorado, Illinois and Washington primarily. It also can potentially defer to state law in certain categories, when the existing law offers a stronger protection. Consumer protection terms, contracting, and civil rights issues are among the areas where a state law may offer more than the federal privacy law would provide.

The proposal will thus likely face some substantial resistance from Republicans in red states that have passed their own, more “business-friendly” data privacy laws (such as Virginia and Utah), as well as broader resistance in the party to any inclusion of private action for consumers. Sponsor Rodgers has voiced support for this element from the right, noting that a patchwork of state laws is confusing and costly in terms of compliance requirements and ultimately not in the interest of businesses, but the bill remains in draft form and conversations with House and Senate leadership about its ultimate shape are ongoing.