Federal Privacy Bill Aims To Consolidate US Privacy Law Patchwork

On April 7, 2024, Sen. Maria Cantwell, chair of the Senate Commerce Committee, and Rep. Cathy McMorris Rodgers, chair of the House Energy and Commerce Committee, advanced a new federal privacy bill to the House floor titled the American Privacy Rights Act (APRA). Although it is not yet law, many observers are optimistic that the APRA will move forward due to its bipartisan support and the compromises it reaches on the issues of preemption and private rights of action, which have stalled prior federal privacy bills.

The APRA contains familiar themes that largely mirror comprehensive state privacy laws, including the rights it provides to individuals and the duties it imposes on Covered Entities. This article discusses key departures from state privacy laws and new concepts introduced by the APRA.

Scope: Covered Entities and Data

Covered Entities: The APRA would apply to all businesses that fall under the jurisdiction of the Federal Trade Commission (FTC), common carriers under the Communications Act of 1934 and most nonprofit organizations (collectively, Covered Entities). By contrast, many state privacy laws exempt nonprofits from their scope of covered businesses. The APRA would also apply to affiliates of Covered Entities and entities under common branding, as well as to businesses that process personal data on behalf of a Covered Entity (Service Providers).

Entity-Level Exemptions: Many small businesses, defined as those that generate less than $40 million in annual revenue, process the covered data of less than 200,000 consumers, and do not earn revenue from the transfer of covered data to third parties, would be exempt from compliance. Like most state privacy laws, government entities and their service providers would also be exempt. The APRA also provides an entity-level exemption for businesses already in compliance with certain federal laws like the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). State privacy laws are mixed on whether to provide entity-level or data-level exemptions for entities covered by such federal laws.

Covered Data: The APRA follows most state privacy laws with a broad definition of Covered Data, including any information that “identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals.” The APRA would exclude employee information, de-identified data and publicly available information. Only the California Consumer Privacy Act (CCPA) currently includes employee information in its scope of covered data.

Sensitive Data: The APRA’s definition of sensitive personal data includes most of the same categories that are already considered sensitive by state privacy laws, including government identifiers; health information; biometric information; genetic information; financial account and payment data; precise geolocation information; login credentials; and children’s personal data.

Like most state privacy laws, the APRA would also include an individual’s race, ethnicity, national origin, religion, and sex or sexual behavior as sensitive data. But unlike state privacy laws, the APRA only defines this information as sensitive when it is used in a manner inconsistent with the individual’s reasonable expectation of disclosure.

In a further departure from state law definitions of sensitive data, the APRA would also include private communications; calendar or address book data, phone logs, photos, and recordings for private use; any medium showing a naked or private area of an individual; video programming viewing information; online activities over time across third-party websites; online activities over time on a High-Impact Social Media Site; and other data the FTC defines as sensitive by rule. Only the CCPA currently considers private communications as sensitive data.

Heightened Requirements for Large Data Holders and High-Impact Social Media Companies

Large Data Holders are defined as Covered Entities or Service Providers that had gross revenues of over $250 million in the preceding calendar year and:

• Processed the Covered Data of more than 5 million individuals, 15 million portable connected devices that are reasonably linkable to one or more individuals, and 35 million connected devices that are reasonably linkable to one or more individuals; or
• Processed the sensitive data of over 200,000 individuals, 300,000 portable connected devices that are reasonably linkable to one or more individuals, and 700,000 connected devices that are reasonably linkable to one or more individuals.

The term “connected device” means any electronic equipment capable of connecting to the internet. The term “portable connected device” generally refers to a smartphone, tablet, laptop, smartwatch, or similar portable device that can connect to the internet wirelessly.

The thresholds listed above exclude Covered Entities or Service Providers that solely process personal contact information, login information allowing access to the individual’s account with the Covered Entity or Service Provider, or payment information used solely to process an individual’s order for the Covered Entity’s or Service Provider’s goods or services.

Large Data Holders would be required to:

• Retain and publish on their website copies of every version of their privacy policy for the preceding 10 years;
• Publish a log that describes the date and nature of each material change to their privacy policy for the preceding 10 years;
• Publish a short-form notice of their covered data practices, in 500 words or less, that is concise, clear and readily accessible, and describes individuals’ privacy rights;
• Provide a report to the FTC on their history of processing data subject access requests;
• Designate a data privacy officer and a data security officer on staff;
• File an annual report to the FTC regarding their internal privacy and data controls;
• Conduct privacy impact assessments on their data processing activities at least once every two years; and
• Conduct privacy impact assessments on the use of any algorithms that “pose a consequential risk of harm” to individuals, and provide those assessments to both the FTC and the public.

High-Impact Social Media Companies are defined as Covered Entities that:

• Provide an internet-accessible platform that constitutes an online product or service primarily used by individuals to access or share user-generated content;
• Generate over $3 billion in global annual revenue, including the revenues of any affiliates; and
• Have at least 300 million global monthly active users for at least three of the preceding 12 months.

All Covered Data that a High-Impact Social Media Company collects directly from its users’ online activities (i.e., first-party data) will be treated as sensitive data. As a result, High-Impact Social Media Companies will not be able to transfer first-party data collected from their users to third parties, such as for targeted advertising, without the express consent of the user. By contrast, most state privacy laws only require businesses to provide their users with notice and an opportunity to opt out of data transfers for targeted advertising.

Required Data Privacy and/or Data Security Officers

Similar to Europe’s General Data Protection Regulation (GDPR) and other foreign privacy laws modeled after it, the APRA would require all Covered Entities to establish an internal role for either a data privacy officer or a data security officer. Large Data Holders must fill both roles. These officers must implement a data privacy and security program and facilitate their organization’s ongoing compliance with the APRA. No such requirements exist under state privacy laws.

Partial Regulation of Artificial Intelligence

The APRA would regulate the use of “covered algorithms,” defined as any computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes decisions or facilitates human decision making by using Covered Data.

All Covered Entities that develop covered algorithms must evaluate their design, structure and inputs prior to deployment to mitigate potential harm to individuals, including those related to:

• Harm to children;
• Advertising for, or access to, essential services such as housing, education, employment, health care, insurance or credit opportunities;
• Access to places of public accommodation; and
• Disparate impacts based on race, color, religion, national origin, sex, disability status or political party registration.

Additionally, Large Data Holders using covered algorithms must conduct annual impact assessments on such use and provide those assessments to both the FTC and the public.

Enforcement, Preemption and Private Rights of Action

The APRA provides multiple avenues of enforcement, including by:

• The FTC, which is directed to establish a new bureau to carry out its authority and will treat violations as unfair or deceptive business practices;
• State attorneys general, chief consumer protection officers and other officers of a state in federal district court; and
• Individuals, who may file private lawsuits against entities that violate their rights under the APRA to recover actual damages, injunctive relief, declaratory relief, and reasonable attorney fees and costs.

The APRA expressly preserves an individual’s right to seek statutory damages under Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act for conduct occurring primarily in Illinois, as well as a California resident’s right to seek statutory damages under the CCPA for an action related to a data breach. Otherwise, the APRA would preempt existing comprehensive state privacy laws while preserving an enumerated list of older laws governing such topics as consumer protection, civil rights, wiretapping and eavesdropping, and existing privacy laws that govern certain sectors such as health care and education data.

We will continue to monitor the latest developments in this ongoing legislative movement. Please reach out to the Kramer Levin privacy team for additional assistance on how to comply with emerging privacy laws.