American Privacy Rights Act

The American Privacy Rights Act (APRA) is a comprehensive data privacy law proposed in the United States. It would place limitations on the kinds of data companies can collect about their users, create processes for users to access or remove data about them, and allow users to opt out of having their data sold by data brokers. The bipartisan proposal was introduced in April 2024 by Senator Maria Cantwell (D-WA) and Representative Cathy McMorris Rodgers (R-WA). Cantwell is Chair of the Senate Committee on Commerce, Science, and Transportation, and McMorris Rodgers is Chair of the House Committee on Energy and Commerce. If passed, it would supersede the collection of state laws that have emerged in the absence of a comprehensive federal data privacy law.

Background

The Constitution of the United States and the United States Bill of Rights do not explicitly include a right to privacy, no federal law takes a holistic approach to privacy legislation, and the US has no national data protection authority. [1] It is the only G20 country without such a law. [2] As a result, in most states and for most companies there are no limits on how they use, share, or sell their users' data and no requirements to notify users when or how they do so. [3]

The laws that have been passed focus on specific types of data or specific populations of data subjects. The Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and the Children's Online Privacy Protection Act (COPPA) of 1998, for example, regulate the use of data by federal agencies, how patients' health data is communicated, and aspects of collecting data about children, respectively. [4] [5] In the absence of a federal data privacy law, several states have passed their own, such as the 2008 Biometric Information Privacy Act in Illinois and the 2018 California Consumer Privacy Act (CCPA). [5] As of 2021, only California, Colorado, and Virginia had enacted comprehensive data privacy legislation. [3] Proponents of broad data privacy legislation argue that it provides a more effective and durable solution to the problems that many narrower bills attempt to address by focusing on specific companies such as TikTok. [6]

There have been multiple attempts to pass a comprehensive data privacy law, such as the Personal Data Privacy and Security Act of 2009 and the American Data Privacy and Protection Act (ADPPA) in 2022. Both had bipartisan support and passed committees, but were not brought up for a vote. [7] [8] [9] A common sticking point in debates over these laws is the relationship between the federal law and current or future state laws. [10] There has also been disagreement about enforcement, including whether users could use the laws as a basis to sue companies directly for privacy violations. [11] Senator Cantwell, one of the lawmakers behind the APRA, opposed the ADPPA on the basis of its enforcement. [12]

The idea of a comprehensive federal data protection law gained increased attention and support in the early 2020s. [13] Privacy experts, technology journalists, and consumer advocacy organizations have spoken in support of the ADPPA and other bills, like the APRA, that focus on "data minimization" rather than "notice and consent" ("notice and choice") frameworks. [14] [15] Notice and consent is the standard under which a company displays a notification inviting users to read lengthy legal documents about its use of data and asking them to accept the terms in order to continue using the website or application. It has been widely criticized for its failure to provide real protections for user privacy. [16] [17] Data minimization places limits on what data can be collected in the first place rather than simply dictating how the use of data is communicated. [17] [13] US President Joe Biden included the importance of such a data privacy law in his 2023 State of the Union address. [18]

Provisions

The American Privacy Rights Act would create limitations on the kinds of data companies can collect about their users. [19] [12] [20] It includes provisions to give users the ability to access the data companies have about them as well as to make changes or remove such data and restricts the ability of companies to impose mandatory arbitration. It creates a registry for data brokers and includes opt-out procedures for consumers who do not want their data sold or used for personalized advertising. [11] [19]

APRA expands some of the California law's enforcement mechanisms, enabling not just the Federal Trade Commission (FTC) to take legal action against violators, but also state attorneys general and private citizens. [11] Except in cases of a "substantial privacy harm", companies have a 30-day window after being notified of a violation to make a correction. [12]

The legislation would apply to businesses that sell users' data or that have more than $40 million in annual revenue, and is intended to apply primarily to those with more than $250 million in revenue ("large data holders"). [21] [11]

Legislative history

Democratic Senator Maria Cantwell (left) and Republican Representative Cathy McMorris Rodgers (right) introduced the legislation.

The bipartisan proposal was introduced in April 2024 by two Washington lawmakers, Senator Maria Cantwell and Representative Cathy McMorris Rodgers. [10] Cantwell is a Democrat who serves as Chair of the Senate Committee on Commerce, Science, and Transportation, and McMorris Rodgers is a Republican who chairs the House Committee on Energy and Commerce. [19] Cantwell did not support the ADPPA, which is part of why that legislation stalled, according to The Verge. [12] She wanted individuals to be more empowered to sue companies for violating their privacy rights. In that and other ways, some state laws took privacy measures further than the ADPPA, leading to some Democratic opposition to the way the federal policy would supersede the states. APRA would still override most of the state laws, but was written to incorporate elements of those laws, in part to overcome such objections. [22]

Reception

According to The Washington Post, the law is a "major breakthrough" in an "issue that has befuddled lawmakers despite near-universal agreement -- in Silicon Valley and in Washington -- on the need for federal standards to determine how much information companies can collect from consumers online". [22]

McMorris Rodgers' Democratic counterpart on the House committee, Frank Pallone of New Jersey, called the draft "very strong" but said he wanted to see greater protections applied to children. [12] Representative Jan Schakowsky, Ranking Member on the committee's Innovation, Data, and Commerce subcommittee, expressed optimism about the proposal and cited "an urgency that's felt to get this done". [6]

The digital rights advocacy organization Electronic Frontier Foundation was positive about the basic components of the bill, but presented many ways in which the bill should be strengthened or modified to increase consumer protections, including allowing states to pass more strict laws and limiting the extent to which companies can share data with the government. [23]

Stewart Baker, in the Volokh Conspiracy, criticized the bill's requirement that companies assess the extent to which their algorithms harm certain groups more than others and document any measures they take to mitigate such harms. Baker argued that efforts to curb discrimination would themselves lead to discrimination against other groups. [24]

Advertising industry advocates expressed concern at the way restrictions on data security and targeted advertising could affect dominant business models. [25]

References

  1. "The Right of Privacy. The Issue: Does the Constitution protect the right of privacy? If so, what aspects of privacy receive protection?". University of Missouri – Kansas City School of Law. Archived from the original on September 8, 2020. Retrieved September 29, 2020.
  2. Roose, Kevin; Newton, Casey; Land, Davis; Cohn, Rachel; Jones, Whitney; Poyant, Jen; Moxley, Alyssa; Powell, Dan; Niemisto, Rowan (April 12, 2024). "A.I.'s Data Wall, a Surprise Privacy Bill, and What Happened to the TikTok Ban?". The New York Times. ISSN 0362-4331. Archived from the original on April 20, 2024. Retrieved April 20, 2024.
  3. "The State of Consumer Data Privacy Laws in the US (And Why It Matters)". Wirecutter. September 6, 2021. Archived from the original on April 13, 2024. Retrieved April 12, 2024.
  4. "Senators reintroduce COPPA 2.0 bill to tighten child safety online". Engadget. May 3, 2023. Archived from the original on February 18, 2024. Retrieved April 12, 2024.
  5. Murray, Conor. "U.S. Data Privacy Protection Laws: A Comprehensive Guide". Forbes. Archived from the original on April 8, 2024. Retrieved April 12, 2024.
  6. Feiner, Lauren (April 17, 2024). "A real privacy law? House lawmakers are optimistic this time". The Verge. Archived from the original on April 19, 2024. Retrieved April 20, 2024.
  7. "Personal Data Privacy and Security Act of 2009 (2009 - S. 1490)". GovTrack.us. Archived from the original on October 9, 2022. Retrieved April 12, 2024.
  8. "What's Stopping the American Data Privacy Act From Passing?". Gizmodo. August 18, 2022. Archived from the original on September 26, 2023. Retrieved April 12, 2024.
  9. McGill, Margaret Harding (August 4, 2022). "Online privacy bill faces daunting roadblocks". Axios. Archived from the original on April 9, 2024. Retrieved April 12, 2024.
  10. Fung, Brian (April 8, 2024). "US lawmakers unveil a plan to give all Americans a right to online privacy". CNN Business. Archived from the original on April 12, 2024. Retrieved April 12, 2024.
  11. Kelly, Makena. "A Breakthrough Online Privacy Proposal Hits Congress". Wired. ISSN 1059-1028. Archived from the original on April 12, 2024. Retrieved April 12, 2024.
  12. Feiner, Lauren (April 8, 2024). "Lawmakers unveil new bipartisan digital privacy bill after years of impasse". The Verge. Archived from the original on April 11, 2024. Retrieved April 12, 2024.
  13. Edelman, Gilad. "Congress Might Pass an Actually Good Privacy Bill". Wired. ISSN 1059-1028. Archived from the original on July 29, 2022. Retrieved April 12, 2024.
  14. Klar, Rebecca (April 9, 2024). "5 things to know about the bipartisan data privacy bill". The Hill. Archived from the original on April 12, 2024. Retrieved April 12, 2024.
  15. Jerome, Joseph (April 11, 2024). "Can the American Privacy Rights Act Accomplish Data Minimization?". Tech Policy Press. Archived from the original on April 11, 2024. Retrieved April 12, 2024.
  16. "Companies, not people, should bear the burden of protecting data". Brookings Institution. Archived from the original on December 9, 2023. Retrieved April 12, 2024.
  17. "How "Notice and Consent" Fails to Protect Our Privacy". New America. Archived from the original on April 18, 2024. Retrieved April 12, 2024.
  18. Newman, Lily Hay. "Data Privacy Is Now a Must-Hit US State of the Union Topic". Wired. ISSN 1059-1028. Archived from the original on April 10, 2024. Retrieved April 12, 2024.
  19. "Cantwell, McMorris Rodgers strike bipartisan deal on landmark data privacy bill". The Spokesman-Review. Archived from the original on April 11, 2024. Retrieved April 12, 2024.
  20. "Bipartisan bill would strengthen data privacy protections". NewsNation. April 18, 2024. Archived from the original on April 20, 2024. Retrieved April 20, 2024.
  21. "The American Privacy Rights Act of 2024: Section-by-Section Summary". United States Senate Committee on Commerce, Science, & Transportation. 2024. Archived from the original on April 13, 2024. Retrieved April 12, 2024.
  22. Lima-Strong, Cristiano (April 7, 2024). "Lawmakers unveil sprawling plan to expand online privacy protections". The Washington Post. Archived from the original on April 7, 2024. Retrieved April 12, 2024.
  23. Trujillo, Mario (April 16, 2024). "Americans Deserve More Than the Current American Privacy Rights Act". Electronic Frontier Foundation. Archived from the original on April 19, 2024. Retrieved April 20, 2024.
  24. Baker, Stewart (May 15, 2024). "Congress is Preparing to Restore Quotas in College Admissions". The Volokh Conspiracy. Retrieved May 17, 2024.
  25. Sloane, Garett (April 19, 2024). "Ad Targeting May Be Banned: Inside the US Privacy Proposal That Could Jeopardize the Marketing Tactic". Ad Age. Archived from the original on April 20, 2024. Retrieved April 20, 2024.